Remove env changing support in daemon mode

It introduced a security issue since these env vars are not filtered by either sudo or rootwrap. This change reverts changes in common code from Iace26738f910a18a5d1d3479fad949027e5a3816 (most of them) and purges ability to specify env in arguments for daemon. Environment should be provided to callee process using EnvFilter and /usr/bin/env. Change-Id: Iafbc493d6158f3ea85b3d74cb37c29e161a1099f
2015-03-04 14:50:25 +03:00 · 2015-03-04 14:50:25 +03:00 · f485b93f47
commit f485b93f47
parent 8472c5e363
7 changed files with 10 additions and 33 deletions
--- a/README.rst
+++ b/README.rst
@ -338,8 +338,6 @@ The class provides one method ``execute`` with following arguments:
 * ``userargs`` - list of command line arguments that are to be used to run the
  command;
 * ``env`` - dict of environment variables to be set for it (by default it's an
  empty dict, so all environment variables are stripped);
 * ``stdin`` - string to be passed to standard input of child process.
 The method returns 3-tuple containing:
--- a/oslo_rootwrap/client.py
+++ b/oslo_rootwrap/client.py
@ -127,12 +127,12 @@ class Client(object):
                self._initialize()
            return self._proxy
-    def execute(self, cmd, env=None, stdin=None):
+    def execute(self, cmd, stdin=None):
        self._ensure_initialized()
        proxy = self._proxy
        retry = False
        try:
-            res = proxy.run_one_command(cmd, env, stdin)
+            res = proxy.run_one_command(cmd, stdin)
        except (EOFError, IOError):
            retry = True
        # res can be None if we received final None sent by dying server thread
@ -140,5 +140,5 @@ class Client(object):
        # at this point.
        if retry or res is None:
            proxy = self._restart(proxy)
-            res = proxy.run_one_command(cmd, env, stdin)
+            res = proxy.run_one_command(cmd, stdin)
        return res
--- a/oslo_rootwrap/daemon.py
+++ b/oslo_rootwrap/daemon.py
@ -43,16 +43,12 @@ class RootwrapClass(object):
        self.config = config
        self.filters = filters
-    def run_one_command(self, userargs, env=None, stdin=None):
+    def run_one_command(self, userargs, stdin=None):
        if env is None:
            env = {}
        obj = wrapper.start_subprocess(
            self.filters, userargs,
            exec_dirs=self.config.exec_dirs,
            log=self.config.use_syslog,
            close_fds=True,
            env=env,
            stdin=subprocess.PIPE,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE)
--- a/oslo_rootwrap/filters.py
+++ b/oslo_rootwrap/filters.py
@ -57,9 +57,9 @@ class CommandFilter(object):
            return ['sudo', '-u', self.run_as, to_exec] + userargs[1:]
        return [to_exec] + userargs[1:]
-    def get_environment(self, userargs, env=None):
+    def get_environment(self, userargs):
        """Returns specific environment to set, None if none."""
-        return env
+        return None
 class RegExpFilter(CommandFilter):
@ -277,10 +277,8 @@ class EnvFilter(CommandFilter):
        to_exec = self.get_exec(exec_dirs=exec_dirs) or self.exec_path
        return [to_exec] + self.exec_args(userargs)[1:]
-    def get_environment(self, userargs, env=None):
+    def get_environment(self, userargs):
-        if env is None:
+        env = os.environ.copy()
            env = os.environ
        env = env.copy()
        # ignore leading 'env'
        if userargs[0] == 'env':
--- a/oslo_rootwrap/tests/test_functional.py
+++ b/oslo_rootwrap/tests/test_functional.py
@ -162,13 +162,6 @@ class RootwrapDaemonTest(_FunctionalBase, testtools.TestCase):
        # Expect client to succesfully restart daemon and run simple request
        self.test_run_once()
    def test_env_setting(self):
        code, out, err = self.execute(['sh', '-c', 'echo $SOMEVAR'],
                                      env={'SOMEVAR': 'teststr'})
        self.assertEqual(0, code)
        self.assertEqual(b'teststr\n', out)
        self.assertEqual(b'', err)
    def _exec_thread(self, fifo_path):
        try:
            # Run a shell script that signals calling process through FIFO and
--- a/oslo_rootwrap/wrapper.py
+++ b/oslo_rootwrap/wrapper.py
@ -190,8 +190,7 @@ def _getlogin():
                os.getenv('LOGNAME'))
-def start_subprocess(filter_list, userargs, exec_dirs=[], log=False,
+def start_subprocess(filter_list, userargs, exec_dirs=[], log=False, **kwargs):
                     env=None, **kwargs):
    filtermatch = match_filter(filter_list, userargs, exec_dirs)
    command = filtermatch.get_command(userargs, exec_dirs)
@ -202,6 +201,6 @@ def start_subprocess(filter_list, userargs, exec_dirs=[], log=False,
    obj = subprocess.Popen(command,
                           preexec_fn=_subprocess_setup,
-                           env=filtermatch.get_environment(userargs, env=env),
+                           env=filtermatch.get_environment(userargs),
                           **kwargs)
    return obj
--- a/tests/test_functional.py
+++ b/tests/test_functional.py
@ -166,13 +166,6 @@ class RootwrapDaemonTest(_FunctionalBase, testtools.TestCase):
        # Expect client to succesfully restart daemon and run simple request
        self.test_run_once()
    def test_env_setting(self):
        code, out, err = self.execute(['sh', '-c', 'echo $SOMEVAR'],
                                      env={'SOMEVAR': 'teststr'})
        self.assertEqual(0, code)
        self.assertEqual(b'teststr\n', out)
        self.assertEqual(b'', err)
    def _exec_thread(self, fifo_path):
        try:
            # Run a shell script that signals calling process through FIFO and